Yup. Lockfiles are for reproducibility. The hashes are some security sugar, but you have to trust the lockfile if you want some semblance of security. Usually that means having the lockfile generation be automated by a trusted system.